All of lore.kernel.org
 help / color / mirror / Atom feed
From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Luck, Tony" <tony.luck@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Joe Konno <joe.konno@linux.intel.com>,
	"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Jeremy Kerr <jk@ozlabs.org>, Matthew Garrett <mjg59@google.com>,
	Peter Jones <pjones@redhat.com>,
	Andy Lutomirski <luto@kernel.org>,
	James Bottomley <james.bottomley@hansenpartnership.com>
Subject: Re: [PATCH] efivarfs: Limit the rate for non-root to read files
Date: Wed, 21 Feb 2018 17:58:37 -0800	[thread overview]
Message-ID: <CA+55aFzJXsPcsJ5MtsxTp2n+43xC0yGzANLNcDm1mFbZKR75FQ@mail.gmail.com> (raw)
In-Reply-To: <20180222014505.2l76ccrrs36y3b26@agluck-desk>

On Wed, Feb 21, 2018 at 5:45 PM, Luck, Tony <tony.luck@intel.com> wrote:
>
> Linus suggested per-user rate limit to solve this.

Note that you also need to serialize per user, because otherwise..

> +       if (!__ratelimit(&file->f_cred->user->ratelimit))
> +               usleep_range(10000, 10000);

..this doesn't really ratelimit anything, because you can just start a
thousand threads, and they all end up being rate-limited, but they all
just sleep for 10ms each, so you can get a hundred thousand accesses
per second anyway.

To fix that, you can either:

 - just make it return -EAGAIN instead of sleeping (which probably
just works fine and doesn't break anything and is simple)

 - add a per-user mutex, and do the usleep inside of it, so that
anybody who tries to do a thousand threads will just be serialized by
the mutex.

Note that the mutex needs to be per-user, because otherwise it will be
a DoS for the other users.

Of course, to avoid *another* DoS, the mutex should probably be
interruptible, and return -EAGAIN, so that you don't have a thousand
thread waiting for the mutex and have something that is effectively
unkillable for ten seconds.

Can it be hard and annoying to avoid DoS by rate limiting? Why, yes.
Yes it can.

                Linus

  reply	other threads:[~2018-02-22  1:58 UTC|newest]

Thread overview: 71+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-15 18:22 [PATCH 0/2] efivars: reading variables can generate SMIs Joe Konno
2018-02-15 18:22 ` [PATCH 1/2] fs/efivarfs: restrict inode permissions Joe Konno
2018-02-20 19:18   ` Andy Lutomirski
2018-02-20 21:18     ` Luck, Tony
2018-02-20 21:22       ` Matthew Garrett
2018-02-20 21:32         ` Luck, Tony
2018-02-20 21:35           ` Matthew Garrett
2018-02-20 22:01       ` Linus Torvalds
2018-02-20 23:30         ` Luck, Tony
2018-02-20 23:39           ` Matthew Garrett
2018-02-20 23:50             ` Luck, Tony
2018-02-21  0:49           ` Linus Torvalds
2018-02-21  1:05             ` Luck, Tony
2018-02-21  2:16               ` Linus Torvalds
2018-02-21  9:03                 ` Ard Biesheuvel
2018-02-21 18:02                   ` Linus Torvalds
2018-02-21 18:21                     ` Andi Kleen
2018-02-21 19:47                       ` Luck, Tony
2018-02-21 19:50                         ` Linus Torvalds
2018-02-21 19:58                           ` Luck, Tony
2018-02-21 20:40                             ` Linus Torvalds
2018-02-22  1:45                               ` [PATCH] efivarfs: Limit the rate for non-root to read files Luck, Tony
2018-02-22  1:58                                 ` Linus Torvalds [this message]
2018-02-22  5:34                                   ` Luck, Tony
2018-02-22 17:10                                     ` Eric W. Biederman
     [not found]                                     ` <CA+55aFy0hRexJkLbN7t31LjfGr4Ae0W5g6sBMqHHJi8aYuGKeA@mail.gmail.com>
     [not found]                                       ` <612E894E-62C8-4155-AED8-D53702EDC8DC@intel.com>
     [not found]                                         ` <CA+55aFxeBaTbwvbWqx1MKYjKKzLUs=1O43Bx2=JaO8qrnY-8HA@mail.gmail.com>
2018-02-22 17:15                                           ` [PATCH v2] " Luck, Tony
2018-02-22 17:39                                             ` Linus Torvalds
2018-02-22 17:54                                               ` Luck, Tony
2018-02-22 18:07                                                 ` Linus Torvalds
2018-02-22 18:08                                                   ` Ard Biesheuvel
2018-02-23 20:34                                                     ` Andy Lutomirski
2018-02-23 19:47                                         ` [PATCH] " Peter Jones
2018-02-21 19:52                       ` [PATCH 1/2] fs/efivarfs: restrict inode permissions Linus Torvalds
2018-02-24 20:06                   ` Alan Cox
2018-02-25 10:56                     ` Ard Biesheuvel
2018-02-21  0:49         ` Peter Jones
2018-02-20 23:19     ` Andy Lutomirski
2018-02-15 18:22 ` [PATCH 2/2] efi: restrict top-level attribute permissions Joe Konno
2018-02-15 18:22   ` Joe Konno
2018-02-16 10:41 ` [PATCH 0/2] efivars: reading variables can generate SMIs Ard Biesheuvel
2018-02-16 10:55   ` Borislav Petkov
2018-02-16 10:58     ` Ard Biesheuvel
2018-02-16 11:08       ` Borislav Petkov
2018-02-16 11:18         ` Ard Biesheuvel
2018-02-16 11:18           ` Ard Biesheuvel
2018-02-16 18:48           ` Joe Konno
2018-02-16 18:48             ` Joe Konno
2018-02-16 18:58             ` Borislav Petkov
2018-02-16 19:22             ` Peter Jones
2018-02-16 19:31               ` Ard Biesheuvel
2018-02-16 19:51                 ` Matthew Garrett
2018-02-16 19:51                   ` Matthew Garrett
2018-02-16 19:32               ` Luck, Tony
2018-02-16 19:54                 ` Peter Jones
2018-02-16 20:51   ` James Bottomley
2018-02-16 20:51     ` James Bottomley
2018-02-16 21:09     ` Luck, Tony
2018-02-16 21:09       ` Luck, Tony
2018-02-16 21:45       ` Andy Lutomirski
2018-02-16 21:58         ` Matthew Garrett
2018-02-16 22:02           ` Luck, Tony
2018-02-16 22:02             ` Luck, Tony
2018-02-16 22:03             ` Matthew Garrett
2018-02-16 22:03               ` Matthew Garrett
2018-02-17 18:12               ` Andy Lutomirski
2018-02-17 18:12                 ` Andy Lutomirski
2018-02-16 22:05       ` Peter Jones
2018-02-17  9:36         ` Ard Biesheuvel
2018-02-17  9:36           ` Ard Biesheuvel
2018-02-17 16:17           ` Andi Kleen
2018-02-17 16:17             ` Andi Kleen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CA+55aFzJXsPcsJ5MtsxTp2n+43xC0yGzANLNcDm1mFbZKR75FQ@mail.gmail.com \
    --to=torvalds@linux-foundation.org \
    --cc=ak@linux.intel.com \
    --cc=ard.biesheuvel@linaro.org \
    --cc=james.bottomley@hansenpartnership.com \
    --cc=jk@ozlabs.org \
    --cc=joe.konno@linux.intel.com \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mjg59@google.com \
    --cc=pjones@redhat.com \
    --cc=tony.luck@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.